
We know who you are … or do we?

Talking about knowing where and who the customer is, I attended a fascinating discussion earlier in the week.

We were brainstorming security, trust and protection of critical financial infrastructures and had a variety of breakout groups looking at different aspects of such systems.

The breakout group I joined started with a scenario of the near future.

The scenario stated that: “the European Commission agrees standards for user-centric identity management standards”, and the group facilitator asked for our thoughts.

It seemed innocuous enough to me, so I expected a five-minute chat about how that seemed like an obvious thing to do, and then to move on.

But no, this scenario caused a great deal of debate amongst the financiers in the room that lasted over an hour!

Here are a few select thoughts and comments from the four bankers who I’ve called Alfred, Bert, Charlie and David for the purposes of the blog:

Alfred: What is "user-centric"?

Bert: The user manages their own identity rather than some central control.

Alfred: Can consumers be trusted to manage their own identity when they give everything away on Facebook, Bebo, etc?

Bert: What’s the alternative?

Alfred: Net-centric identity management, with everything controlled centrally.

Charlie: That’s no good if the user gets locked out though.

David: But the issue is not about stealing someone’s identity. You’re still you whatever happens, so you still have your identity. The issue is someone copying your identity.

Bert: That’s why net-centric doesn’t work, because someone can easily steal bits and bytes of identity data.

Alfred: Yes, this is why user-centric doesn’t work either.

Charlie: What about biometrics? That’s a way to maintain a unique identity, isn’t it?

Alfred: Not really. Biometric identity management is also just bits and bytes of data that can be compromised and copied.

David: Sure, but that’s why we need the government to be involved here, as they have a role to give a legal context to identities.

Alfred: So who manages identity? The user, the government or someone else?

David: Not a bank then?

General guffawing in the room.

Alfred: What about federated identities?

Bert: I’m not sure that works as you cannot have multiple identities. That’s the issue we have today. And, coming back to your point about who manages identity, it should be the user as they are closest to their own identity. Therefore, if we are concerned about people giving that data away, we need to educate and incentivise users to manage their identity better.

David: It’s not about identity; it’s about proving your identity with something. That something is based upon knowledge (a PIN, maiden name, password) and/or a token (card, mobile, chip).

Bert: How about a mobile telephone with a biometric reader in the phone, combined with an account number, PIN and password? Surely you’re getting towards an unbreakable system that way?

Alfred: I could break that just by knowing that data. The data is harder to get but it wouldn’t stop me.

Charlie: But is our concern identity or the fraud that comes from compromising identity? If the latter, it’s not so great that it should cause us concern.

David: What’s not so great?

Charlie: Fraud losses. I’m more concerned about credit losses.

Alfred: Yet if identity is compromised it can lead to massive loss.

Bert: Sure, and net-centric and government-controlled identities are all easily compromised. I mean, every time I check into a hotel they get a copy of my passport along with all my credit card data. Similarly, some stores ask for photo identity and can steal my credit card and driving licence information at the checkout. So how easy is all that?

David: Again, let’s clarify what we’re talking about here. A credit card is just a number that provides an access right to a financial transaction, right? It’s an access right but it’s not an identity, ok? The access right is proof of who you are and what we’re saying is that this is no longer sufficient.

Charlie: That’s a big point. It’s not identity itself but proof of identity that we need to focus upon.

Bert: And today it’s not enough because we give our access right data at systems all over the world using American operating systems, Chinese hardware and Israeli security software, and so there’s plenty of holes in the architecture that can be compromised.

Alfred: The key is to have a safe and secure electronic data stream to manage identity, as all identifiers are translated into data.

And so it went on, and on, and on, and on …

… unbelievable how complex this identity stuff can get, isn’t it?

About Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News.


  • Gentlemen,
    There is a new solution available to answer your concerns on biometry and identity theft, which makes it possible to mutually authenticate a user and a service provider and to validate transactions on an independent secure channel.
    AXSionics has developed a security concept with a smart card in the user’s hand and a server on the ASP side. The smart card has a fingerprint scanner and a crypto chip. It means you enter your fingerprint templates once on the smart card and they get stored on your card. Using the card means comparing the presented finger with the templates. More information on the other features if you show interest!

  • Chris Skinner

    Hi Martine
    I normally delete comments with sales content, but yours is relevant so it stays 🙂
    Chris

  • Won’t the semantic web enable computers to verify your identity by reference to the unique pattern of a vast array of data points, rather than a few predictable (and therefore more likely replicable) items?

  • “Unbelievable how complex this identity stuff can get…”
    Which is exactly why, in the late ’90s, a group of innovation leaders from a collection of the world’s leading Financial Institutions got together and created a Scheme-based approach to managing such complexities, where upfront everyone knows exactly what they are (and are not) getting into, and are (and are not) liable for.
    A Scheme-based approach that by definition gives interoperability (whether defined by geography, by product or by customer vertical).
    Guys, the Technology aspect is invariably not the problem. Whether it is PKI or bio or whatever, it does “what it says on the tin”; it is the human/legal/issuance and reliance aspects which get complex, and where risk and consequent loss lie in wait for the unwary.
    The Scheme (IdenTrust) is operational, working today in over 100 countries, has a decade of real (as compared to theoretical) experience behind it and continues to evolve/grow successfully and to solve such complexities today.
    Happy Days!
    JohnB
